Linear Secret-Sharing Schemes for Forbidden Graph Access Structures
Size: px
Start display at page:

Download "Linear Secret-Sharing Schemes for Forbidden Graph Access Structures"

Transcription

1 Linear Secret-Sharing Schemes for Forbidden Graph Access Structures Amos Beimel 1, Oriol Farràs 2, Yuval Mintz 1, and Naty Peter 1 1 Ben Gurion University of the Negev, Be er Sheva, Israel 2 Universitat Rovira i Virgili, Tarragona, Catalonia, Spain amos.beimel@gmail.com, oriol.farras@urv.cat, mintzyuval@gmail.com, naty@post.bgu.ac.il Abstract. A secret-sharing scheme realizes the forbidden graph access structure determined by a graph G = (V, E) if a pair of vertices can reconstruct the secret if and only if it is an edge in G. Secret-sharing schemes for forbidden graph access structures of bipartite graphs are equivalent to conditional disclosure of secrets protocols, a primitive that is used to construct attributed-based encryption schemes. We study the complexity of realizing a forbidden graph access structure by linear secret-sharing schemes. A secret-sharing scheme is linear if the reconstruction of the secret from the shares is a linear mapping. In many applications of secret-sharing, it is required that the scheme will be linear. We provide efficient constructions and lower bounds on the share size of linear secret-sharing schemes for sparse and dense graphs, closing the gap between upper and lower bounds: Given a sparse graph with n vertices and at most n 1+β edges, for some 0 β < 1, we construct a linear secret-sharing scheme realizing its forbidden graph access structure in which the total size of the shares is Õ(n1+β/2 ). We provide an additional construction showing that every dense graph with n vertices and at least ( n 2) n 1+β edges can be realized by a linear secretsharing scheme with the same total share size. Furthermore, for the above graphs we construct a linear secret-sharing scheme realizing their forbidden graph access structure in which the size of the share of each party is Õ(n 1/4+β/4 ). We prove matching lower bounds on the share size of linear secret-sharing schemes realizing forbidden graph access structures. We prove that for most forbidden graph access structures, the total share size of every linear secret-sharing scheme realizing these access structures is Ω(n 3/2 ); this shows that the construction of Gay, Kerenidis, and Wee [CRYPTO 2015] is optimal. Furthermore, we show that for every 0 β < 1 there exist a graph with at most n 1+β edges and a graph with at least ( n 2 ) n 1+β edges, such that the total share size in any linear secret-sharing scheme realizing these forbidden graph access structures is Ω(n 1+β/2 ). Finally, we show that for every 0 β < 1 there exist a graph with at most n 1+β The first and the forth authors are supported by ISF grants 544/13 and 152/17 and by the Frankel center for computer science. The second author is supported by the European Union through H2020-ICT and H2020-DS , and by the Spanish Government through TIN C2-1-R.

2 2 A. Beimel, O. Farràs, Y. Mintz and N. Peter edges and a graph with at least ( n 2) n 1+β edges, such that the size of the share of at least one party in any linear secret-sharing scheme realizing these forbidden graph access structures is Ω(n 1/4+β/4 ). This shows that our constructions are optimal (up to poly-logarithmic factors). Key words. Secret-sharing, share size, monotone span program, conditional disclosure of secrets. 1 Introduction A secret-sharing scheme, introduced by [14, 43, 35], is a method in which a dealer, which holds a secret, can distribute shares to a set of parties, enabling only predefined subsets of parties to reconstruct the secret from their shares. These subsets are called authorized, and the family of authorized subsets is called the access structure of the scheme. The original motivation for defining secret-sharing was robust key management schemes for cryptographic systems. Nowadays, they are used in many secure protocols and applications, such as multiparty computation [11, 21, 23], threshold cryptography [27], access control [41], attribute-based encryption [34, 48], and oblivious transfer [44, 47]. In this paper we study secret-sharing schemes for forbidden graph access structures, first introduced by Sun and Shieh [46]. The forbidden graph access structure determined by a graph G = (V, E) is the collection of all pairs of vertices in E and all subsets of vertices of size greater than two. Secret-sharing schemes for forbidden graph access structure determined by bipartite graphs are equivalent to conditional disclosure of secrets protocols. Following [7, 8], we study the complexity of realizing a forbidden graph, and provide efficient constructions for sparse and dense graphs. A secret-sharing scheme is linear if the shares are a linear function of the secret and random strings that are taken from some finite field. Equivalently, a scheme is linear if the reconstruction of the secret from the shares is a linear mapping. A linear secret-sharing can be constructed from a monotone span program, a computational model which introduced by Karchmer and Wigderson [37], and every linear secret-sharing scheme implies a monotone span program. See [4] for discussion on equivalent definitions of linear secret-sharing schemes. In many of the applications of secret-sharing mentioned above, it is required that the scheme will be linear. For example, Cramer, Damgård, and Maurer [23] construct general secure multiparty computation protocols, i.e., protocols which are secure against an arbitrary adversarial structure, from any linear secret-sharing scheme realizing the access structure in which a set is authorized if and only if it is not in the adversarial structure. Furthermore, it was shown by Attrapadung [3] and Wee [49] that linear secret-sharing schemes realizing forbidden graphs access structures are a central ingredient for constructing public-key (multi-user) attribute-based encryption. These applications motivate the study in this paper of linear secret-sharing schemes for forbidden graph access structures.

3 Linear Secret-Sharing Schemes for Forbidden Graph Access Structures Related Work Secret-Sharing Schemes for Arbitrary Access Structures. Secret-sharing schemes were introduced by Shamir [43] and Blakley [14] for the threshold case, and by Ito, Saito, and Nishizeki [35] for the general case. Threshold access structures, in which the authorized sets are all the sets containing at least t parties (for some threshold t), can be realized by secret-sharing schemes in which the size of each share is the size of the secret [14, 43]. There are other access structures that have secret-sharing schemes in which the size of the shares is small, i.e., polynomial (in the number of parties) share size [12, 13, 17, 37]. In particular, Benaloh and Leichter [12] proved that if an access structure can be described by a small monotone formula, then it has an efficient secret-sharing scheme. Improving on this result, Karchmer and Wigderson [37] showed that if an access structure can be described by a small monotone span program, then it has an efficient secret-sharing scheme. The best known schemes for general access structures (e.g., [35, 13, 17, 37]) are highly inefficient, i.e., they have total share size of 2 O(n) (where n is the number of parties). The best known lower bound on the total share size of secret-sharing schemes realizing an access structure is Ω(n 2 / log n) [25, 24]; this lower bound is very far from the upper bound. Graph Access Structures. A secret-sharing scheme realizes the graph access structure determined by a given graph if every two vertices connected by an edge can reconstruct the secret and every independent set in the graph does not get any information on the secret. The trivial secret-sharing scheme for realizing a graph access structure is sharing the secret independently for each edge; this results in a scheme whose total share size is O(n 2 ) (times the length of the secret, which will be ignored in the introduction). This can be improved every graph access structure can be realized by a linear secret-sharing scheme in which the total size of the shares is O(n 2 / log n) [29, 19]. Graph access structures have been studied in many works, such as [20, 18, 45, 16, 15, 9, 26, 7, 8]. In particular, Beimel, ( Farràs, and Mintz [7] showed that a graph with n vertices that contains n ) 2 n 1+β edges for some constant 0 β < 1 can be realized by a scheme in which the total share size is Õ(n5/4+3β/4 ). Forbidden Graph Access Structures. Gay, Kerenidis, and Wee [32] have proved that every forbidden graph access structure can be realized by a linear secret-sharing scheme in which the total size of the shares is O(n 3/2 ). Liu, Vaikuntanathan, and Wee [38] have recently shown that every forbidden graph access structure can be realized by a non-linear secret-sharing scheme in which the total size of the shares is n 1+o(1). Beimel, Farràs, and Peter [8] showed that any graph with n vertices and with at least ( n 2) n 1+β edges (for some constant 0 β < 1 2 ) can be realized by a linear secret-sharing scheme in which the total share size is O(n 7/6+2β/3 ). They also showed that if less than n 1+β edges are removed from an arbitrary graph

4 4 A. Beimel, O. Farràs, Y. Mintz and N. Peter that can be realized by a secret-sharing scheme with total share size m, then the resulting graph can be realized by a secret-sharing scheme in which the total share size is O(m + n 7/6+2β/3 ). These results are improved in this paper. Secret-sharing schemes for graph access structures and forbidden graph access structures have similar requirements, however, the requirements for graph access structures are stronger, since in graph access structures independent sets of vertices should not get any information on the secret. Given a secret-sharing scheme for a graph access structure, we can construct a secret-sharing scheme for the forbidden graph access structure: We can independently share the secret using the scheme for the graph access structure and the 3-out-of-n scheme of Shamir [43]. The total share size of the new scheme is slightly greater than the former. Therefore, upper bounds on the share size for graph access structures imply the same upper bounds on the share size for forbidden graph access structures. Conditional Disclosure of Secrets. Gertner et al. [33] defined conditional disclosure of secrets (CDS). In this problem, two parties Alice and Bob want to disclose a secret to a referee if and only if their inputs (strings of N bits) satisfy some predicate (e.g., if their inputs are equal). To achieve this goal, each party computes one message based on its input, the secret, and a common random string, and sends the message to the referee. If the predicate holds, then the referee, which knows the two inputs, can reconstruct the secret from the messages it received. In [33], CDS is used to efficiently realize symmetricallyprivate information retrieval protocols. In [32], it is shown that CDS can be used to construct attribute-based encryption, a cryptographic primitive introduced in [34, 42]. We can represent the CDS for some predicate as the problem of realizing a secret-sharing scheme for a forbidden graph access structure of a bipartite graph and vice-versa: Every possible input for Alice is a vertex in the first part of the graph and every possible input for Bob is a vertex in the second part of the graph, and there is an edge between two vertices from different parts if and only if the two corresponding inputs satisfy the predicate. Given a CDS protocol for a predicate, we construct a secret-sharing scheme realizing the bipartite graph defined by the predicate in which the share of party z is the message sent in the CDS protocol to the referee by Alice or Bob (depending on z s part of the graph) when they hold the input z. Thus, given a predicate P, we get a bipartite graph with n = 2 N vertices in each part (where N is the size of the input of the parties) such that the length of the messages required in a CDS for P is the length of the shares required by a secret-sharing realizing the forbidden graph access structure. Gertner et al. [33] have proved that if a predicate P has a (possibly nonmonotone) formula of size S, then there is a CDS protocol for P in which the length of the messages is S. A similar result holds if the predicate has a (possibly non-monotone) span program, or even a non-monotone secret-sharing scheme (this is a secret-sharing scheme realizing an access structure defined in [33] in

5 Linear Secret-Sharing Schemes for Forbidden Graph Access Structures 5 which for every bit in the input there are two parties, one for every value of the bit). This result provides a rich class of predicates for which there are efficient CDS protocols. Thus, there is a rich class of forbidden graph access structures that can be realized by efficient secret-sharing schemes (by the equivalence between CDS and secret-sharing schemes for forbidden graph access structures). It was shown in [32] that for every predicate there exists a linear CDS such that the size of each of the messages sent by the two parties to the referee is 2 N/2. 3 This implies that for every bipartite graph there exists a linear secretsharing scheme realizing the forbidden graph access structure in which the size of each share is O(n 1/2 ) (where n is the number of the parties); in particular, the total share size of this scheme is O(n 3/2 ). Liu et al. [38] have recently shown that every predicate has a non-linear CDS scheme in which the size of the messages the parties send to the referee is 2 O( N log N). As a corollary, we get a non-linear secret-sharing scheme realizing the forbidden graph access structure for every bipartite graph with n vertices, in which the size of each share is n O( log log n/ log n) = n o(1) ; in particular, the total share size of this scheme is n 1+O( log log n/ log n) = n 1+o(1). By a transformation of [10, 8], the above two results hold for every graph (not necessarily bipartite). Applebaum et al. [2] and Ambrona et al. [1] have shown that if we have a linear CDS for some predicate P with message length c and shared random string length r, then we can construct a linear CDS for the complement predicate P in which the message length and the shared random string length is linear in c and r. Translated to secret-sharing, we conclude that if we have a linear secret-sharing scheme that uses r random field elements in the generation of the shares and realizes the forbidden graph access structure of a bipartite graph G, then we can realize its complement bipartite graph G with a linear scheme in which the size of each share is O(r). Another result shown in [2] is that for every predicate there exists a linear CDS for secrets of k bits, where k is double-exponential in N, such that the size of each of the messages sent by the two parties to the referee is O(k N). This gives us an amortized size of O(N) bits per each bit of the secret, much better than the size of 2 N/2 for one-bit secret that was shown in [32]. When considering forbidden graph access structures, we get that for every forbidden bipartite graph access structure with n vertices there exists a linear secret-sharing scheme with secrets of length k and total share size of O(kn log n), provided that the size of the secret k is exponential in n. 1.2 Our Results The main result we show in this paper is the construction of linear secret-sharing schemes realizing forbidden graph access structures for sparse graphs and dense graphs. We also prove tight lower bounds on the share size of linear secret-sharing schemes realizing forbidden graph access structures. 3 A linear CDS is a CDS in which if the predicate holds, then the reconstruction function of the referee is linear.

6 6 A. Beimel, O. Farràs, Y. Mintz and N. Peter Constructions. Our main constructions of linear secret-sharing schemes are the following ones: Given a sparse graph with n vertices and at most n 1+β edges, for some 0 β < 1, we construct a linear secret-sharing scheme that realizes its forbidden graph access structure with the total size of the shares is Õ(n1+β/2 ). The best previously known linear secret-sharing scheme for such graphs is the trivial scheme that independently shares the secret for each edge; the total share size of this scheme is O(n 1+β ). Given a dense graph with n vertices and at least ( n 2) n 1+β edges, for some 0 β < 1, we construct a linear secret-sharing scheme that realizes its forbidden graph access structure with total share size Õ(n1+β/2 ). The best previously known linear secret-sharing scheme for such graphs is the scheme of [8], which has total share size O(n 7/6+2β/3 ). Given a sparse graph with n vertices and at most n 1+β edges, for some 0 β < 1, we construct a linear secret-sharing scheme that realizes its forbidden graph access structure such that the size of the share of each party is Õ(n1/4+β/4 ). The same results holds for forbidden graph access structures of dense graphs with at least ( n 2) n 1+β edges. The best previously known linear secret-sharing scheme for such graphs is the scheme of [32], which has no restrictions on the number of edges; the share size of each party in this scheme is O(n 1/2 ). As a corollary, we construct a secret-sharing scheme for forbidden graph access structures of graphs obtained by changing (adding or removing) few edges from an arbitrary graph G. If the forbidden graph access structure determined by a graph G can be realized by a secret-sharing scheme with total share size m and G is obtained from G by changing at most n 1+β edges, for some 0 β < 1, then we construct a secret-sharing scheme realizing the forbidden graph access structure of G with total share size m + Õ(n1+β/2 ). If the secret-sharing scheme realizing the forbidden graph access structure determined by G is linear, then the resulting scheme realizing the forbidden graph access structure determined by G is also linear. Taking into account the connection described above between CDS protocols and secret-sharing schemes for forbidden graph access structures, our constructions imply linear CDS protocols with message size 2 N(1/4+β/4) for two families of predicates f : {0, 1} N {0, 1} N {0, 1}, predicates f with few zeros, i.e. {(x, y) : f(x, y) = 0} 2 N(1+β) (for some 0 β < 1) and predicates f with few ones, i.e. {(x, y) : f(x, y) = 1} 2 N(1+β). Overview of Our Constructions. We construct the secret-sharing scheme realizing forbidden graph access structures determined by sparse graphs in few stages, where in each stage we restrict the forbidden graph access structures that we can realize. We start by realizing fairly simple bipartite graphs, and in each stage we realize a wider class of graphs using the schemes constructed in previous stages.

7 Linear Secret-Sharing Schemes for Forbidden Graph Access Structures 7 Our basic construction, described in Lemma 3.2, is a linear secret-sharing scheme realizing a forbidden graph access structure for a bipartite graph G = (A, B, E), where A is small and the degree of each vertex in B is at most d, for some d < n. To construct this scheme, we construct a linear subspace V a for each vertex a A, and a vector z b for every vertex b B, such that z b V a if and only if (a, b) E. The total size of the shares in the scheme we construct is O(d A + B ). A naive scheme for this graph, which shares the secret independently for each edge, has total share size O(d B ). Our scheme is much more efficient than the naive scheme when A is small and B is big. This is the scheme that enables us to construct efficient schemes for sparse forbidden graph access structures. In the second stage, we construct, in Lemma 4.1, a secret-sharing scheme for a forbidden graph access structure for a bipartite graph G = (A, B, E), where the degree of every vertex in B is at most d (and there is no restriction that A is small). Then, we construct in Theorem 4.2 a secret-sharing scheme with total share size O(n d log n) for bipartite graphs with A = B = n, where the vertices in B have degree at most d. The idea of this construction is to randomly partition the set A to l = O( d ln n) = Õ( d) small sets A 1,..., A l. We prove that with high probability, for every 1 i l, the degree of every vertex b B in the bipartite graph G i = (A i, B, E (A i B)) is at most O( d) (compared to its degree in G, which can be at most d). We now realize each sparse graph G i using the basic scheme. In the third stage, we construct, in Theorem 4.3, a secret-sharing scheme for a bipartite graph G = (A, B, E), where the number of edges in G is at most n 1+β for some 0 β < 1 (where A = B = n). That is, we realize forbidden graph access structures for bipartite graphs where the average degree of each vertex in B is at most n β. To this purpose, we use an idea from [7] (also used in [8]). Fix some degree d, and let B big be the vertices in B whose degree is at least d. Furthermore, let B small = B \ B big. Since the number of edges in G is at most n 1+β, the size of B big is at most n 1+β /d. Using the fact that B big is small (however, the degree of each vertex in B big can be n), the secret-sharing scheme of [32] (alternatively, the scheme of Lemma 4.1) realizes the graph G big = (A, B big, E (A B big )) with quite small shares. Using the fact that the degree of each vertex in B small is small, the secret-sharing scheme of Lemma 4.1 realizes G small = (A, B small, E (A B small )) with total share size O(n d log n). By taking the appropriate value for d, we get a secret-sharing scheme realizing G in which (for small enough values of β) the total share size is o(n 1+β ), but still larger than the promised total share size. To get a secretsharing scheme realizing G with total share size Õ(n1+β/2 ), we group the vertices in B into O(log n) sets according to their degree, where the ith set B i contains the vertices whose degree is between n/2 i+1 and n/2 i. We realize each graph G i = (A, B i, E (A B i )) independently using the secret-sharing scheme of Lemma 4.1. In the last stage, we construct, in Theorem 4.4, a secret-sharing scheme for any forbidden graph access structure with the promised total share size. That is,

8 8 A. Beimel, O. Farràs, Y. Mintz and N. Peter if the number of edges in G is at most n 1+β for some 0 β < 1 (where V = n), then the total share size is Õ(n1+β/2 ). The last stage is done using a generic transformation of [10, 8], which constructs a secret-sharing scheme for any graph from secret-sharing schemes for bipartite graphs. To summarize, there are 4 stages in our construction for sparse graphs. The first two stages are the major new steps in our construction. The third stage uses ideas from [7], however, it requires designing appropriate secret-sharing schemes in the first two stages. In the last stage, we use a transformation of [10, 8] as a black-box. The construction for forbidden graph access structures determine by dense graphs is similar, however, we construct a different scheme for the first stage. The construction of a scheme realizing a forbidden graph access structure determined by a graph G obtained by adding or removing few edges from a graph G is done using ideas from [8] as follows: First, we share the secret s using the secret-sharing scheme realizing the sparse graph containing all edges added to G (we add at most n 1+β to G). In addition, we share the secret s using a 2-out-of-2 secret-sharing scheme. That is, we choose two random elements s 1 and s 2 such that s = s 1 s 2. We share s 1 using the scheme of the graph G and share s 2 using the secret-sharing scheme realizing the dense graph containing all possible edges except for the edges removed from G (this graph is a dense graph with at least ( n 2) n 1+β edges, since we remove at most n 1+β from G). Next, we construct a linear secret-sharing scheme realizing bipartite graphs G = (A, B, E), where A = B = n and the number of edges in G is at most n 1+β, for some 0 β < 1, in which the share size of each vertex is O(n 1/4+β/4 log n). The construction of this scheme is similar to the construction of our previous scheme that presented in the third stage. Let d = n 1/2+β/2, and let A big (respectively, B big ) be the vertices in A (respectively, B) whose degree is at least d. Furthermore, let A small = A \ A big (respectively, B small = B \ B big ). Since the number of edges in G is at most n 1+β, the size of A big (respectively, B big ) is at most n 1+β /d = n 1/2+β/2. Thus, we can realize the graph (A big, B big, E (A big B big )) using the scheme of [32] in which the share size of each vertex is O((n 1/2+β/2 ) 1/2 ) = O(n 1/4+β/4 ). Next, since the degree of each vertex in A small (respectively, B small ) is at most d, we can realize each of the graphs (A, B small, E (A B small )), (A small, B, E (A small B)) using our scheme of the second stage in which the share size of each vertex is O( d log n) = O(n 1/4+β/4 log n), and get the desired share size. Lower Bounds. We prove that for most forbidden graph access structures, the total share size of every linear secret-sharing scheme realizing these access structures, with a one-bit secret, is Ω(n 3/2 ), which shows that the construction of Gay et al. [32] is optimal. This also shows a separation between the total share size in non-linear secret-sharing schemes realizing forbidden graph access structures, which is n 1+o(1) by [38], and the total share size required in linear secret-sharing schemes realizing forbidden graph access structures. This lower

9 Linear Secret-Sharing Schemes for Forbidden Graph Access Structures 9 bound implies that, for most predicates P : {0, 1} N {0, 1} N {0, 1}, in every linear CDS protocol for P the length of the messages is Ω(2 N/2 ). Furthermore, we show that for every 0 β < 1 there exist a graph with at most n 1+β edges and a graph with at least ( n 2) n 1+β edges, such that the total share size in any linear secret-sharing scheme realizing their forbidden graph access structures is Ω(n 1+β/2 ). Finally, we show for every 0 β < 1 there exist a graph with at most n 1+β edges and a graph with at least ( n 2) n 1+β edges, such that the size of the share of at least one party in any linear secret-sharing scheme realizing their forbidden graph access structures is Ω(n 1/4+β/4 ). These lower bounds show that our constructions are optimal (up to poly-logarithmic factors). Our lower bounds are existential and use counting arguments. They previously appeared (in a somewhat less general form) in the master thesis of the third author of this paper [39]. 2 Preliminaries We denote the logarithmic function with base 2 and base e by log and ln, respectively. We denote vectors by bold letters, e.g., v. 2.1 Secret-Sharing We present the definition of secret-sharing scheme as given in [22, 6]. For more information about this definition and secret-sharing in general, see [5]. Definition 2.1 (Secret-Sharing Schemes). Let P = {p 1,..., p n } be a set of parties. A collection Γ 2 P is monotone if B Γ and B C imply that C Γ. An access structure is a monotone collection Γ 2 P of non-empty subsets of P. Sets in Γ are called authorized, and sets not in Γ are called unauthorized. The family of minimal authorized subsets is denoted by min Γ. A distribution scheme Σ = Π, µ with domain of secrets K is a pair, where µ is a probability distribution on some finite set R called the set of random strings and Π is a mapping from K R to a set of n-tuples K 1 K 2 K n, where K j is called the domain of shares of p j. A dealer distributes a secret k K according to Σ by first sampling a random string r R according to µ, computing a vector of shares Π(k, r) = (s 1,..., s n ), and privately communicating each share s j to party p j. For a set A P, we denote Π A (k, r) as the restriction of Π(k, r) to its A-entries (i.e., the shares of the parties in A). Given a distribution scheme, define the size of the secret as log K, the (normalized) share size of party p j as log K j / log K, the (normalized) max share size as max 1 j n log K j / log K, and the (normalized) total share size of the distribution scheme as 1 j n log K j / log K. Let K be a finite set of secrets, where K 2. A distribution scheme Π, µ with domain of secrets K is a secret-sharing scheme realizing an access structure Γ if the following two requirements hold: Correctness. The secret k can be reconstructed by any authorized set of parties. That is, for any set B = {p i1,..., p i B } Γ, there exists a reconstruction

10 10 A. Beimel, O. Farràs, Y. Mintz and N. Peter function Recon B : K i1... K i B K such that for every secret k K and every random string r R, ) Recon B (Π B (k, r) = k. Privacy. Every unauthorized set cannot learn anything about the secret (in the information theoretic sense) from their shares. Formally, for any set T / Γ, every two secrets a, b K, and every possible vector of shares s j pj T, Pr[ Π T (a, r) = s j pj T ] = Pr[ Π T (b, r) = s j pj T ], when the probability is over the choice of r from R at random according to µ. Definition 2.2 (Linear Secret-Sharing Scheme). Let Σ = Π, µ be a secret-sharing scheme with domain of secrets K, where µ is a probability distribution on a set R and Π is a mapping from K R to K 1 K 2 K n. We say that Σ is a linear secret-sharing scheme over a finite field F if K = F, the sets R, K 1,..., K n are vector spaces over F, Π is a F-linear mapping, and µ is the uniform probability distribution over R. 2.2 Monotone Span Programs Monotone span programs (abbreviated MSPs) are a linear-algebraic model of computation introduced by Karchmer and Wigderson [37]. As explained below in Claim 2.4, MSPs over finite fields are equivalent to linear secret-sharing schemes. Definition 2.3 (Monotone Span Programs [37]). A monotone span program is a quadruple M = F, M, δ, v, where F is a field, M is an a b matrix over F, δ : {1,..., a} P (where P is a set of parties) is a mapping labeling each row of M by a party, 4 and v is a non-zero vector in F b, called the target vector. The size of M is the number of rows of M (i.e., a). For any set A P, let M A denote the sub-matrix obtained by restricting M to the rows labeled by parties in A. We say that M accepts a set B P if the rows of M B span the vector v. We say that M accepts an access structure Γ where M accepts a set B if and only if B Γ. By applying a linear transformation to the rows of M, the target vector can be changed to any non-zero vector without changing the size of the MSP. The default value for the target vector is e 1 = (1, 0,..., 0), but in this work we also use other vectors, e.g., 1 (the all one s vector). Claim 2.4 ([37, 4]). Let F be a finite field. There exists a linear secret-sharing scheme over F realizing Γ with total share size a if and only if there exists an MSP over F of size a accepting Γ. 4 We label a row by a party rather than by a variable x j as done in [37].

11 Linear Secret-Sharing Schemes for Forbidden Graph Access Structures 11 For the sake of completeness, we explain how to construct a linear secretsharing scheme from an MSP. Given an MSP M = F, M, δ, e 1 accepting Γ, where M is an a b matrix over F, define a linear secret-sharing scheme as follows: Input: a secret k F. Choose b 1 random elements r 2,..., r b independently with uniform distribution from F and define r = (k, r 2,..., r b ). Evaluate (s 1,..., s a ) = Mr T, and distribute to each party p P the entries corresponding to rows labeled by p. In this linear secret-sharing scheme, every set in Γ can reconstruct the secret: Let B Γ and N = M B, thus, the rows of N span e 1, and there exists some vector v such that e 1 = vn. Notice that the shares of the parties in B are Nr T. The parties in B can reconstruct the secret by computing v(nr T ), since v(nr T ) = (vn)r T = e 1 r T = k. The proof of the privacy of this scheme can be found in [37, 5]. 2.3 Graphs and Forbidden Graph Access Structures Recall that a bipartite graph G = (A, B, E) is a graph where the vertices are A B (A and B are called the parts of G) and E A B. A bipartite graph is complete if E = A B. Definition 2.5 (The Bipartite Complement). Let G = (A, B, E) be a bipartite graph. The bipartite complement of G is the bipartite graph G = (A, B, E), where every a A and b B satisfy (a, b) E if and only if (a, b) / E. Definition 2.6 (Forbidden Graph Access Structures). Let G = (V, E) be a graph. The forbidden graph access structure defined by G is the collection of all pairs of vertices in E and all subsets of vertices of size greater than two. 5 Remark 2.7. When we say that a secret-sharing scheme realizes a graph G, we mean that the scheme realizes the forbidden graph access structure of the graph G. Remark 2.8. In applications of secret-sharing schemes for forbidden graph access structures (e.g., conditional disclosure of secrets), the only requirement is that pairs of vertices can reconstruct the secret if and only if they are connected by an edge. To fully specify the access structure of a forbidden graph, we also require that all sets of 3 or more vertices are authorized. This additional requirement only slightly increases the total share size required to realize forbidden graph access structures, since we can independently share the secret using the 3-outof-n scheme of Shamir [43], in which the size of the share of every party is the size of the secret (when the size of the secret is at least log n). To simplify the description of our schemes, in all our construction in Sections 3 to 5 we implicitly assume that we share the secret using Shamir s 3-out-of-n secret-sharing scheme. 5 In [46], the access structure is specified by the complement graph, i.e., by the edges that are forbidden from learning information on the secret.

12 12 A. Beimel, O. Farràs, Y. Mintz and N. Peter 2.4 Conditional Disclosure of Secrets For completeness, we present the definition of conditional disclosure of secrets, originaly defined in [33]. Definition 2.9 (Conditional Disclosure of Secrets). Let f : {0, 1} N {0, 1} N {0, 1} be some function, and let Enc A : {0, 1} N S R M A, Enc B : {0, 1} N S R M B be deterministic functions (also called predicate), where S is the domain of secrets and R is the domain of the common random strings, and Dec : {0, 1} N {0, 1} N M A M B S be a deterministic function. Then, (Enc A, Enc B, Dec) is a conditional disclosure of secrets (CDS) protocol for the function f if the following two requirements hold: Correctness. For every x, y {0, 1} N with f(x, y) = 1, every secret s S, and every common random string r R, Dec(x, y, Enc A (x, s, r), Enc B (y, s, r)) = s. Privacy. For every x, y {0, 1} N with f(x, y) = 0, every two secrets s 1, s 2 S, and every messages m A M A, m B M B : Pr[ Enc A (x, s 1, r) = m A and Enc B (y, s 1, r) = m B ] = Pr[ Enc A (x, s 2, r) = m A and Enc B (y, s 2, r) = m B ], when the probability is over the choice of r from R at random with uniform distribution. 3 The Basic Construction for Graphs of Low Degree Our basic construction requires the following construction of linear spaces, which will be used both for sparse graphs and for dense graphs. Claim 3.1. Let G = (A, B, E) be a bipartite graph with A = {a 1,..., a m }, B = {b 1,..., b n } such that the degree of every vertex in B is at most d and let F be a finite field with F m. Then, there are m linear subspaces V 1,..., V m F d+1 of dimension d and n + 1 vectors z 1,..., z n, w F d+1 such that and w / V i for every 1 i m. z j V i if and only if (a i, b j ) E, Proof. We identify vectors in F d+1 with polynomials of degree at most d in the indeterminate X. That is, for a vector v F d+1 we consider a polynomial v(x) F[X] of degree d in which the coefficient of degree i is the (i + 1)-th coordinate of v. For each vertex a i A, we associate a distinct element α i F. We define the subspace V i F d+1 of dimension d as the one associated to the space of

13 Linear Secret-Sharing Schemes for Forbidden Graph Access Structures 13 polynomials P (X) of degree at most d such that P (α i ) = 0, i.e., the space of polynomials spanned by { (X α i ), (X 2 α i X),..., (X d α i X d 1 ) }. Since these d polynomials are independent, the dimension of each V i is d. Furthermore, for a vertex b j B, whose neighbors are a i1, a i2,..., a id (for some d d), we define z j (X) = (X α i1 ) (X α i2 )... (X α id ). Note that z j V i if and only if z j (α i ) = 0 if and only if α i { } α i1, α i2,..., α id if and only if (a i, b j ) E. Finally, define w(x) = 1. For every 1 i m, since w(α i ) = 1 and v(α i ) = 0 for every v V i, the vector w is not in V i. Lemma 3.2. Let G = (A, B, E) be a bipartite graph with A = m, B = n, such that the degree of every vertex in B is at most d. Then, there is a linear secret-sharing scheme realizing G with total share size n + (d + 1)m. Proof. Denote A = {a 1,..., a m }, B = {b 1,..., b n }, and let V 1,..., V m and z 1,..., z n be the linear subspaces and vectors guaranteed by Claim 3.1. We construct a monotone span program accepting G, where there are d + 1 rows labeled by a i for every 1 i m and one row labeled by b j for every 1 j n. By Claim 2.4, this implies the desired linear secret-sharing scheme. Let {v i,1,..., v i,d } be a basis of V i, and for 1 l d, define v i,l = (0, 0, v i,l) (that is, v i,l is a vector in Fd+3 whose first two coordinates are 0 followed by the vector v i,l ). The rows labeled by a i are v i,1,..., v i,d and (0, 1, 0,..., 0). The row labeled by b j is z j = (1, 0, z j ). The target vector is (1, 1, 0,..., 0). The monotone span program accepts } (a i, b j ) if and only if (1, 1, 0,..., 0) span {z j, v i,1,..., v i,d, (0, 1, 0,..., 0) if and only if z j span {v i,1,..., v i,d } if and only if z j V i if and only if (a i, b j ) E. Furthermore, two vertices from the same part do not span (1, 1, 0,..., 0): For two vertices in A, this follows since the first coordinate in all vectors they label is 0. For two vertices in B, this follows since the second coordinate in the vectors they label is 0. Therefore, the monotone span program accepts G. We next show that Lemma 3.2 can be used to realize every bipartite graph by a linear secret-sharing scheme with total share size O(n 3/2 ). This scheme has the same total share size as the linear secret-sharing scheme of [32]. This construction is presented as a warmup for our construction for bipartite graphs with bounded degree. Lemma 3.3. Let G = (A, B, E) be a bipartite graph such that A = B = n. Then, there is a linear secret-sharing scheme realizing G with total share size O(n 3/2 ). Proof. We arbitrarily partition A into n sets, A 1,..., A n, each set of size at most n. By Lemma 3.2, the bipartite graph (A i, B, E (A i B)) (in which every vertex in B has at most A i = n neighbors) can be realized by a linear secret-sharing scheme with total share size O(n + ( n + 1) n) = O(n). We use

14 14 A. Beimel, O. Farràs, Y. Mintz and N. Peter this construction for each of the n sets A 1,..., A n. Hence, the total share size of the resulting scheme is O(n 3/2 ). It can be verified that in the secret-sharing scheme of Lemma 3.3, the size of the share of each vertex is O(n 1/2 ). 4 Secret-Sharing Schemes for Sparse Graphs In this section we present efficient secret-sharing schemes for forbidden graph access structures of sparse graphs, that is, graphs with at most n 1+β edges for some 0 β < 1. The main result is Theorem 4.4, where we show that these graphs admit secret-sharing schemes with total share size O(n 1+β/2 log 3 n). Its proof is involved, and we use several intermediate results. First, we construct an efficient secret-sharing schemes for sparse bipartite graphs. In the construction for a sparse bipartite graph G = (A, B, E) in Theorem 4.3 we partition the vertices in B into O(log n) sets according to their degree, that is, the vertices in the ith set B i are the vertices whose degrees are between n/2 i+1 and n/2 i. We realize each graph G i = (A, B i, E (A B i )) independently using the secretsharing scheme of Lemma 4.1. This methodology is the same as in [7, 8]. The main new technical result in this section is Lemma 4.1, and it is the basis of this construction. Finally, using a transformation that appeared in [10], we use the schemes for sparse bipartite graphs to construct a scheme for general sparse graphs. Lemma 4.1. Let G = (A, B, E) be a bipartite graph with A = n, B n such that the degree of each vertex in B is at most d for some d n. If d B n log 2 n, then there is a linear secret-sharing scheme realizing G with total share size O( n B d log n). Proof. Let δ = log n d (that is, d = n δ ), γ = log n B (i.e., B = n γ ), and α = γ 2 δ 2, (1) and denote l = 2n 1 α ln n. We first prove that there are sets A 1,..., A l A of size n α that satisfy the following properties: (I) l i=1 A i = A, and (II) for every 1 i l, the degree of the vertices in B in the graph G i = (A i, B, E (A i B)) is at most 12n α+δ 1. For each 1 i l, we independently choose A i with uniform distribution among the subsets of A of size n α. We show that, with positive probability, A 1,..., A l satisfy properties (I) and (II). First, we analyze the probability that (I) does not hold. Pr [A A i ] Pr [a / A i ] = l Pr [a / A i ] = ) l (1 nα n a A a A i=1 a A a A e l/n1 α = n 1 n 2 = 1 n.

15 Linear Secret-Sharing Schemes for Forbidden Graph Access Structures 15 Now we show that the probability that the sets A 1,..., A l do not satisfy Property (II) is less than 1/4. Fix an index 1 i l and a vertex b B. We analyze the probability that the degree of b in G i is larger than 12n α+δ 1. We view the choice of the random set A i as a process of n α steps, where in the jth step we uniformly choose a vertex a j A amongst the vertices that have not been chosen in the first j 1 steps. Using this view of choosing A i, we define the following binary random variables Z 1,..., Z n α, where Z j = 1 if (a j, b) is an edge of G i, and 0 otherwise. Then, we consider Z = n α j=1 Z j, that is, Z is the degree of b in G i. We would like to apply a Chernoff bound to these variables, however, they are not independent. We use Z 1,..., Z n α to define new random variables Z 1,..., Z n α that are independent. For every vector z = (z t ) t j, let p z = Pr[Z j = 1 Z t = z t for all t j]. By convention, if Pr[Z t = z t for all t j] = 0, then p z = 0. Note that p z nδ n n α 2 n 1 δ, where d = n δ is the upper bound on the degree of b given in the lemma. Observe that the last inequality follows because n 1/2 n δ/2+γ/2 / log n, and so n α = n 1/2+γ/2 δ/2 n (δ/2+γ/2)+γ/2 δ/2 / log n n/2, obtaining that n n α n/2. The random variables Z 1,..., Z n are defined as follows: Let z 1,..., z α n α be the values given to Z 1,..., Z n α. If z j = 1, then Z j = 1 and if z j = 0, then Z j = 1 with probability (2/n1 δ p z )/(1 p z ) and Z j = 0 otherwise. Thus, Pr[Z j = 1 Z t = z t for all t j] = 2/n 1 δ. Therefore, Z j is independent of (Z t ) t j, and, hence, independent of (Z t) t j. Let Z = n α j=1 Z j. The expected value of Z is n α 2/n 1 δ = 2n α+δ 1. Using a Chernoff bound [40, Theorem 4.4, (4.3)], we obtain Pr [ Z > 12n α+δ 1] Pr [ Z > 12n α+δ 1] 2 12nα+δ 1. By (1) and since n γ+δ n log 2 n, we obtain n α+δ 1 = n γ/2+δ/2 1/2 log n. Thus, Pr [ Z > 12n α+δ 1] 1/n 12 1/(4nl). Property (II) holds if for every b B and every 1 i l, the degree of b in G i is at most 12n α+δ 1. By the union bound, the probability that (II) does not hold is at most 1/4. Thus, again by the union bound, the probability that random sets A 1,..., A l satisfy properties (I) and (II) is greater than 1/2, and, in particular, such sets exist. Given valid sets A 1,..., A l, we construct a secret-sharing scheme for each bipartite graph G i = (A i, B, E (A i B)) using Lemma 3.2. In each one of

16 16 A. Beimel, O. Farràs, Y. Mintz and N. Peter these subgraphs, the degree of each vertex in B is at most 12n α+δ 1. Hence, the total share size of the resulting scheme will be l ( B + Ai (12n α+δ 1 + 1) ) = O ( l(n γ + n α n α+δ 1 ) ) i=1 = O ( n 1 α ln n(n γ + n 2α+δ 1 ) ) = O ( log n(n 1+γ α + n α+δ ) ). This value is minimized when 1 + γ α = α + δ, that is, when α = γ 2 δ 2 (this explains our choice of α). Using this value of α, we obtain total share size of O(n 1/2+γ/2+δ/2 log n). The following theorem is a special case of the above lemma, when A = B. In the proof of Theorem 4.3 below, we also use Lemma 4.1. Theorem 4.2. Let G = (A, B, E) be a bipartite graph such that A = B = n and the degree of every vertex in B is at most d for some d n. Then, there is a linear secret-sharing scheme realizing G in which the share size of each vertex is O( d log n). The total share size of this scheme is O(n d log n). Proof. If d < log 2 n, we use the secret-sharing scheme of Lemma 3.2; in this scheme the share size of each vertex is O(d) = O( d log n), and the total share size is O(n d log n). Otherwise, d log 2 n, and let δ = log n d, l = 2n δ/2 ln n, and A 1,..., A l A be the sets of size n 1 δ/2 guarantied from Lemma 4.1 (taking γ = 1). We can assume that each vertex in A is a member of exactly one set (by removing the vertex from every set except from one). Note that the sets still satisfy the two desired properties. Next, as in Lemma 4.1, we construct a secret-sharing scheme for each bipartite graph G i = (A i, B, E (A i B)) (for 1 i l) using the scheme of Lemma 3.2. The degree of each vertex in B in the graph G i is at most 12n δ/2 = O( d). Every vertex in B participates in l schemes, and gets a share of size one in each of these schemes. Hence, the share size of every vertex in B is l = O( d log n). Every vertex in A participates in one scheme, and gets a share of size 12n δ/2 + 1 = O( d) in this scheme. Overall, the share size of each vertex in the resulting scheme is O( d log n), and the total share size is O(n d log n). Theorem 4.3. Let G = (A, B, E) be a bipartite graph with A = B = n and with at most n 1+β edges, for some constant 0 β < 1. Then, there is a linear secret-sharing scheme realizing G with total share size O(n 1+β/2 log 2 n). Proof. If n β log 2 n, we use the trivial secret-sharing scheme, where we share the secret independently for each edge; in this scheme the total share size is O(n 1+β ) = O(n 1+β/2 log n).

17 Linear Secret-Sharing Schemes for Forbidden Graph Access Structures 17 We next deal with the interesting case where n β > log 2 n. In this case, we partition the vertices in B according to their degree, that is, for i = 0,..., (1 β) log n 1, define { n B i = b B : 2 i+1 < deg(b) n } 2 i and B small = { b B : deg(b) n β}, and G i = (A, B i, E (A B i )). We realize each graph G i, for i = 0,..., (1 β) log n 1, using Lemma 4.1. Since the number of edges in G is at most n 1+β and the degree of every vertex in B i is at least n/2 i+1, the number of vertices in B i is at most n1+β n/2 = 2 i+1 n β. i+1 By adding dummy vertices to B i with degree 0, we can assume that B i = 2 i+1 n β. By Lemma 4.1, there is a secret-sharing scheme realizing the forbidden graph access structure of G i with total share size O( n 2 i+1 n β n/2 i log n) = O(n 1+β/2 log n). Note that, as required in Lemma 4.1, d B i = n/2 i 2 i+1 n β n log 2 n. Finally, we realize (A, B small, E (A B small )) using the secret-sharing scheme of Theorem 4.2; the total share size of this scheme is O(n 1+β/2 log n) as well. Since we use 1+(1 β) log n schemes, the total share size of the resulting scheme is O(n 1+β/2 log 2 n). Theorem 4.4. Let G = (V, E) be a graph with n vertices and with at most n 1+β edges for some constant 0 β < 1. Then, there is a linear secret-sharing scheme realizing G with total share size O(n 1+β/2 log 3 n). Proof. To simplify notation, assume that n is a power of 2. As in [10], we cover G by log n bipartite graphs, each graph having at most n 1+β edges. We assume that V = {v 1,..., v n }, and for a vertex v i we consider i as a binary log n string i = (i 1,..., i log n ). For every 1 t log n, we define the bipartite graph H t = (A t, B t, F t ) as the subgraph of G in which A t is the set of vertices whose t-th bit is 0, B t is the set of vertices whose t-th bit is 1, and F t = E (A t B t ), i.e., F t is the set of edges in E between the vertices of A t and B t. To share a secret s, for every 1 t log n, we share s independently using the secret-sharing scheme of Theorem 4.3 realizing the bipartite graph H t with total share size O(n 1+β/2 log 2 n). Since we use log n schemes, the total share size in the scheme realizing G is O(n 1+β/2 log 3 n). For an edge (v i, v j ) E, where i = (i 1,..., i log n ) and j = (j 1,..., j log n ), there is at least one 1 t log n such that i t j t, thus, (v i, v j ) F t and {v i, v j } can reconstruct the secret using the shares of the scheme realizing H t. If (v i, v j ) / E, then (v i, v j ) / F t for every 1 t log n, and, hence, {v i, v j } have no information on the secret. 5 Secret-Sharing Schemes for Dense Graphs In this section we study forbidden graph access structures of dense graphs. The main result of this section is Theorem 5.5, where for every dense graph we present

18 18 A. Beimel, O. Farràs, Y. Mintz and N. Peter a linear secret-sharing scheme realizing its forbidden graph access structure. For sparse graphs, we designed a general construction starting from a basic secret-sharing scheme, described in Lemma 3.2. For dense graphs, we follow the same strategy, replacing the basic construction with a different scheme, given in Lemma 5.1. Lemma 5.1. Let G = (A, B, E) be a bipartite graph with A = m, B = n, such that the degree of every vertex in B is at least m d. Then, there is a linear secret-sharing scheme realizing G with total share size 2n + (d + 1)m. Proof. Denote A = {a 1,..., a m }, B = {b 1,..., b n }. Let G = (A, B, E) be the bipartite complement of G, and let V 1,..., V m F d+1 be the linear subspaces of dimension d and z 1,..., z n, w F d+1 be the vectors guaranteed by Claim 3.1 for the graph G. As proved in Claim 3.1, z j V i if and only if (a i, b j ) / E and w / V i for every 1 i m. Next, we construct a monotone span program where there are d + 1 rows labeled by a i for every 1 i m and two rows labeled by b j for every 1 j n. Let {v i,1,..., v i,d } be a basis of V i. The rows labeled by a i are (0, 0, v i,1 ),..., (0, 0, v i,d ), (0, 1, 0,..., 0) and the rows labeled by b j are (0, 0, z j ) and (1, 0,..., 0). We take (1, 1, w) as the target vector. We first prove that the span program accepts an edge (a i, b j ) E. Since (a i, b j ) E, it holds that z j / V i and so the dimension of span {z j, v i,1,..., v i,d } is 1 plus the dimension of V i, i.e., span {z j, v i,1,..., v i,d } = F d+1, and in particular, w span {z j, v i,1,..., v i,d }. Thus, (1, 1, w) is in the span of the vectors labeled by a i and b j. We next prove that this monotone span program does not accept any pair (a i, b j ) / E where a i A and b j B. By Claim 3.1, w / V i. Since (a i, b j ) / E, it holds that z j V i and so w / span {z j, v i,1,..., v i,d } = V i. Thus, (1, 1, w) is not in the span of the vectors labeled by a i and b j Furthermore, two vertices from the same part do not span (1, 1, w): For two vertices in A, this follows since the first coordinate in all vectors they label is 0. For two vertices in B, this follows since the second coordinate in the vectors they label is 0. Therefore, the monotone span program accepts G. Lemma 5.2. Let G = (A, B, E) be a bipartite graph with A = n, B n, and let G = (A, B, E) be the bipartite complement of G. If the degree of B in G is at most d, for some d satisfying d n and d B n log 2 n, then there is a linear secret-sharing scheme realizing G with total share size O( n B d log n). Proof. We use the techniques presented in the proof of Lemma 4.1. We take δ = log n d, γ = log n B, α = γ 2 δ 2, and l = 2n1 α ln n. By the proof of Lemma 4.1, there exist sets A 1,..., A l A of size n α that satisfy: (I) l i=1 A i = A, and (II) for every 1 i l, the degree of the vertices in B in the graph G i = (A i, B, E (A i B)) is at most 12n α+δ 1.

Similar documents

Characterizing Ideal Weighted Threshold Secret Sharing

Characterizing Ideal Weighted Threshold Secret Sharing Characterizing Ideal Weighted Threshold Secret Sharing Amos Beimel Tamir Tassa Enav Weinreb October 2, 2006 Abstract Weighted threshold secret sharing was introduced by Shamir in his seminal work on secret

More information

On Linear Secret Sharing for Connectivity in Directed Graphs

On Linear Secret Sharing for Connectivity in Directed Graphs On Linear Secret Sharing for Connectivity in Directed Graphs Amos Beimel 1 and Anat Paskin 2 1 Dept. of computer science, Ben-Gurion University, Beer Sheva, Israel. 2 Dept. of computer science, Technion,

More information

Characterizing Ideal Weighted Threshold Secret Sharing

Characterizing Ideal Weighted Threshold Secret Sharing Characterizing Ideal Weighted Threshold Secret Sharing Amos Beimel Tamir Tassa Enav Weinreb August 12, 2004 Abstract Weighted threshold secret sharing was introduced by Shamir in his seminal work on secret

More information

Conditional Disclosure of Secrets and d-uniform Secret Sharing with Constant Information Rate

Conditional Disclosure of Secrets and d-uniform Secret Sharing with Constant Information Rate Conditional Disclosure of Secrets and d-uniform Secret Sharing with Constant Information Rate Benny Applebaum, Barak Arkis December 25, 2017 Abstract Consider the following secret-sharing problem. Your

More information

Lecture Notes on Secret Sharing

Lecture Notes on Secret Sharing COMS W4261: Introduction to Cryptography. Instructor: Prof. Tal Malkin Lecture Notes on Secret Sharing Abstract These are lecture notes from the first two lectures in Fall 2016, focusing on technical material

More information

BOUNDS ON THE INFORMATION RATIOS OF SECRET SHARING SCHEMES FOR CLOSE ACCESS STRUCTURES

BOUNDS ON THE INFORMATION RATIOS OF SECRET SHARING SCHEMES FOR CLOSE ACCESS STRUCTURES BOUNDS ON THE INFORMATION RATIOS OF SECRET SHARING SCHEMES FOR CLOSE ACCESS STRUCTURES ORIOL FARRÀS JORDI RIBES GONZÁLEZ SARA RICCI Universitat Rovira i Virgili, Catalonia, Spain Workshop on Mathematics

More information

Characterizing Ideal Weighted Threshold Secret Sharing

Characterizing Ideal Weighted Threshold Secret Sharing Characterizing Ideal Weighted Threshold Secret Sharing Amos Beimel 1, Tamir Tassa 1,2, and Enav Weinreb 1 1 Dept. of Computer Science, Ben-Gurion University, Beer Sheva, Israel. 2 Division of Computer

More information

Secret Sharing. Qi Chen. December 14, 2015

Secret Sharing. Qi Chen. December 14, 2015 Secret Sharing Qi Chen December 14, 2015 What is secret sharing? A dealer: know the secret S and distribute the shares of S to each party A set of n parties P n {p 1,, p n }: each party owns a share Authorized

More information

On the Cryptographic Complexity of the Worst Functions

On the Cryptographic Complexity of the Worst Functions On the Cryptographic Complexity of the Worst Functions Amos Beimel 1, Yuval Ishai 2, Ranjit Kumaresan 2, and Eyal Kushilevitz 2 1 Dept. of Computer Science, Ben Gurion University of the Negev, Be er Sheva,

More information

Resource-efficient OT combiners with active security

Resource-efficient OT combiners with active security Resource-efficient OT combiners with active security Ignacio Cascudo 1, Ivan Damgård 2, Oriol Farràs 3, and Samuel Ranellucci 4 1 Aalborg University, ignacio@math.aau.dk 2 Aarhus University, ivan@cs.au.dk

More information

Round-Efficient Perfectly Secure Message Transmission Scheme Against General Adversary

Round-Efficient Perfectly Secure Message Transmission Scheme Against General Adversary Round-Efficient Perfectly Secure Message Transmission Scheme Against General Adversary Kaoru Kurosawa Department of Computer and Information Sciences, Ibaraki University, 4-12-1 Nakanarusawa, Hitachi,

More information

Efficient Conversion of Secret-shared Values Between Different Fields

Efficient Conversion of Secret-shared Values Between Different Fields Efficient Conversion of Secret-shared Values Between Different Fields Ivan Damgård and Rune Thorbek BRICS, Dept. of Computer Science, University of Aarhus Abstract. We show how to effectively convert a

More information

ON THE POWER OF NONLINEAR SECRET-SHARING

ON THE POWER OF NONLINEAR SECRET-SHARING ON THE POWER OF NONLINEAR SECRET-SHARING AMOS BEIMEL AND YUVAL ISHAI Abstract. A secret-sharing scheme enables a dealer to distribute a secret among n parties such that only some predefined authorized

More information

On the Power of Nonlinear Secret-Sharing

On the Power of Nonlinear Secret-Sharing On the Power of Nonlinear Secret-Sharing (PRELIMINARY VERSION) Amos Beimel Dept. of Computer Science Ben-Gurion University Beer-Sheva 84105, Israel beimel@cs.bgu.ac.il Yuval Ishai DIMACS and AT&T Labs

More information

Essentially Optimal Robust Secret Sharing with Maximal Corruptions

Essentially Optimal Robust Secret Sharing with Maximal Corruptions Essentially Optimal Robust Secret Sharing with Maximal Corruptions Allison Bishop 1, Valerio Pastro 1, Rajmohan Rajaraman 2, and Daniel Wichs 2 1 Columbia University 2 Northeastern University November

More information

Near-Optimal Secret Sharing and Error Correcting Codes in AC 0

Near-Optimal Secret Sharing and Error Correcting Codes in AC 0 Near-Optimal Secret Sharing and Error Correcting Codes in AC 0 Kuan Cheng Yuval Ishai Xin Li December 18, 2017 Abstract We study the question of minimizing the computational complexity of (robust) secret

More information

Detection of Cheaters in Non-interactive Polynomial Evaluation

Detection of Cheaters in Non-interactive Polynomial Evaluation Detection of Cheaters in Non-interactive Polynomial Evaluation Maki Yoshida 1 and Satoshi Obana 2 1 Osaka University, Japan 2 Hosei University, Japan Abstract. In this paper, we consider both theoretical

More information

Distribution Design. Ariel Gabizon. Amos Beimel. Eyal Kushilevitz.

Distribution Design. Ariel Gabizon. Amos Beimel. Eyal Kushilevitz. Distribution Design ABSTRACT Amos Beimel Dept. of Computer Science Ben Gurion University amos.beimel@gmail.com Yuval Ishai Dept. of Computer Science Technion and UCLA yuvali@cs.technion.ac.il Motivated

More information

1/p-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds

1/p-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds 1/p-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds Amos Beimel Department of Computer Science Ben Gurion University Be er Sheva, Israel Eran Omri Department of Computer

More information

From Secure MPC to Efficient Zero-Knowledge

From Secure MPC to Efficient Zero-Knowledge From Secure MPC to Efficient Zero-Knowledge David Wu March, 2017 The Complexity Class NP NP the class of problems that are efficiently verifiable a language L is in NP if there exists a polynomial-time

More information

Generalized Oblivious Transfer by Secret Sharing

Generalized Oblivious Transfer by Secret Sharing Generalized Oblivious Transfer by Secret Sharing Tamir Tassa Abstract The notion of Generalized Oblivious Transfer (GOT) was introduced by Ishai and Kushilevitz in [12]. In a GOT protocol, Alice holds

More information

Overview of the Talk. Secret Sharing. Secret Sharing Made Short Hugo Krawczyk Perfect Secrecy

Overview of the Talk. Secret Sharing. Secret Sharing Made Short Hugo Krawczyk Perfect Secrecy Overview of the Talk Secret Sharing CS395T Design and Implementation of Trusted Services Ankur Gupta Hugo Krawczyk. Secret Sharing Made Short, 1993. Josh Cohen Benaloh. Secret Sharing Homomorphisms: Keeping

More information

Efficient Secret Sharing Schemes Achieving Optimal Information Rate

Efficient Secret Sharing Schemes Achieving Optimal Information Rate Efficient Secret Sharing Schemes Achieving Optimal Information Rate Yongge Wang KINDI Center for Computing Research, Qatar University, Qatar and Department of SIS, UNC Charlotte, USA Email: yonggewang@unccedu

More information

CS Communication Complexity: Applications and New Directions

CS Communication Complexity: Applications and New Directions CS 2429 - Communication Complexity: Applications and New Directions Lecturer: Toniann Pitassi 1 Introduction In this course we will define the basic two-party model of communication, as introduced in the

More information

Optimal Linear Secret Sharing Schemes for Graph Access Structures on Six Participants

Optimal Linear Secret Sharing Schemes for Graph Access Structures on Six Participants Optimal Linear Secret Sharing Schemes for Graph Access Structures on Six Participants Motahhareh Gharahi Shahram Khazaei Abstract We review the problem of finding the optimal information ratios of graph

More information

Introduction to Modern Cryptography Lecture 11

Introduction to Modern Cryptography Lecture 11 Introduction to Modern Cryptography Lecture 11 January 10, 2017 Instructor: Benny Chor Teaching Assistant: Orit Moskovich School of Computer Science Tel-Aviv University Fall Semester, 2016 17 Tuesday 12:00

More information

Secret Sharing Schemes

Secret Sharing Schemes Secret Sharing Schemes 1.1 Introduction 1 1 Handling secret has been an issue of prominence from the time human beings started to live together. Important things and messages have been always there to

More information

Breaking the Circuit-Size Barrier in Secret Sharing

Breaking the Circuit-Size Barrier in Secret Sharing Breaking the Circuit-Size Barrier in Secret Sharing Tianren Liu MIT Vinod Vaikuntanathan MIT April 4, 2018 Abstract We study secret sharing schemes for general (non-threshold access structures. A general

More information

1 Randomized Computation

1 Randomized Computation CS 6743 Lecture 17 1 Fall 2007 1 Randomized Computation Why is randomness useful? Imagine you have a stack of bank notes, with very few counterfeit ones. You want to choose a genuine bank note to pay at

More information

Secure Multiparty Computation from Graph Colouring

Secure Multiparty Computation from Graph Colouring Secure Multiparty Computation from Graph Colouring Ron Steinfeld Monash University July 2012 Ron Steinfeld Secure Multiparty Computation from Graph Colouring July 2012 1/34 Acknowledgements Based on joint

More information

Secret-Sharing for NP

Secret-Sharing for NP Secret-Sharing for NP Ilan Komargodski Moni Naor Eylon Yogev Abstract A computational secret-sharing scheme is a method that enables a dealer, that has a secret, to distribute this secret among a set of

More information

1 Secure two-party computation

1 Secure two-party computation CSCI 5440: Cryptography Lecture 7 The Chinese University of Hong Kong, Spring 2018 26 and 27 February 2018 In the first half of the course we covered the basic cryptographic primitives that enable secure

More information

Secret Sharing for General Access Structures

Secret Sharing for General Access Structures SECRET SHARING FOR GENERAL ACCESS STRUCTURES 1 Secret Sharing for General Access Structures İlker Nadi Bozkurt, Kamer Kaya, and Ali Aydın Selçuk Abstract Secret sharing schemes (SSS) are used to distribute

More information

Ad Hoc PSM Protocols: Secure Computation Without Coordination

Ad Hoc PSM Protocols: Secure Computation Without Coordination Ad Hoc PSM Protocols: Secure Computation Without Coordination Amos Beimel 1(B), Yuval Ishai 2,3, and Eyal Kushilevitz 2 1 Department of Computer Science, Ben Gurion University, Beer Sheva, Israel amos.beimel@gmail.com

More information

Secret Sharing CPT, Version 3

Secret Sharing CPT, Version 3 Secret Sharing CPT, 2006 Version 3 1 Introduction In all secure systems that use cryptography in practice, keys have to be protected by encryption under other keys when they are stored in a physically

More information

Protocols for Multiparty Coin Toss with a Dishonest Majority

Protocols for Multiparty Coin Toss with a Dishonest Majority Protocols for Multiparty Coin Toss with a Dishonest Maority Amos Beimel Department of Computer Science Ben Gurion University Be er Sheva, Israel Eran Omri Department of Computer Science and Mathematics

More information

Secure Multi-Party Computation. Lecture 17 GMW & BGW Protocols

Secure Multi-Party Computation. Lecture 17 GMW & BGW Protocols Secure Multi-Party Computation Lecture 17 GMW & BGW Protocols MPC Protocols MPC Protocols Yao s Garbled Circuit : 2-Party SFE secure against passive adversaries MPC Protocols Yao s Garbled Circuit : 2-Party

More information

Lecture 16: Communication Complexity

Lecture 16: Communication Complexity CSE 531: Computational Complexity I Winter 2016 Lecture 16: Communication Complexity Mar 2, 2016 Lecturer: Paul Beame Scribe: Paul Beame 1 Communication Complexity In (two-party) communication complexity

More information

Report on PIR with Low Storage Overhead

Report on PIR with Low Storage Overhead Report on PIR with Low Storage Overhead Ehsan Ebrahimi Targhi University of Tartu December 15, 2015 Abstract Private information retrieval (PIR) protocol, introduced in 1995 by Chor, Goldreich, Kushilevitz

More information

On Achieving the Best of Both Worlds in Secure Multiparty Computation

On Achieving the Best of Both Worlds in Secure Multiparty Computation On Achieving the Best of Both Worlds in Secure Multiparty Computation Yuval Ishai Jonathan Katz Eyal Kushilevitz Yehuda Lindell Erez Petrank Abstract Two settings are traditionally considered for secure

More information

Winter 2011 Josh Benaloh Brian LaMacchia

Winter 2011 Josh Benaloh Brian LaMacchia Winter 2011 Josh Benaloh Brian LaMacchia Fun with Public-Key Tonight we ll Introduce some basic tools of public-key crypto Combine the tools to create more powerful tools Lay the ground work for substantial

More information

Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs

Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs Jonah Brown-Cohen 1 Introduction The Diffie-Hellman protocol was one of the first methods discovered for two people, say Alice

More information

Separating the Power of Monotone Span Programs over Different Fields

Separating the Power of Monotone Span Programs over Different Fields Separating the Power of onotone Span Programs over Different Fields Amos Beimel Enav Weinreb Abstract onotone span programs are a linear-algebraic model of computation They are equivalent to linear secret

More information

Multi-Party Computation with Conversion of Secret Sharing

Multi-Party Computation with Conversion of Secret Sharing Multi-Party Computation with Conversion of Secret Sharing Josef Pieprzyk joint work with Hossein Ghodosi and Ron Steinfeld NTU, Singapore, September 2011 1/ 33 Road Map Introduction Background Our Contribution

More information

On Secret Sharing Schemes, Matroids and Polymatroids

On Secret Sharing Schemes, Matroids and Polymatroids On Secret Sharing Schemes, Matroids and Polymatroids Jaume Martí-Farré, Carles Padró Dep. de Matemàtica Aplicada 4, Universitat Politècnica de Catalunya, Barcelona, Spain {jaumem,cpadro}@ma4.upc.edu June

More information

Construction of Multiplicative Monotone Span Program

Construction of Multiplicative Monotone Span Program Construction of Multiplicative Monotone Span Program Yuenai Chen, Chunming Tang,2 School of Mathematics and Information Sciences, Guangzhou University, Guangzhou 50006, China 2 Key Laboratory of Mathematics

More information

Nondeterminism LECTURE Nondeterminism as a proof system. University of California, Los Angeles CS 289A Communication Complexity

Nondeterminism LECTURE Nondeterminism as a proof system. University of California, Los Angeles CS 289A Communication Complexity University of California, Los Angeles CS 289A Communication Complexity Instructor: Alexander Sherstov Scribe: Matt Brown Date: January 25, 2012 LECTURE 5 Nondeterminism In this lecture, we introduce nondeterministic

More information

1 Number Theory Basics

1 Number Theory Basics ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his

More information

Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols

Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols CS 294 Secure Computation January 19, 2016 Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols Instructor: Sanjam Garg Scribe: Pratyush Mishra 1 Introduction Secure multiparty computation

More information

A Lower Bound for the Size of Syntactically Multilinear Arithmetic Circuits

A Lower Bound for the Size of Syntactically Multilinear Arithmetic Circuits A Lower Bound for the Size of Syntactically Multilinear Arithmetic Circuits Ran Raz Amir Shpilka Amir Yehudayoff Abstract We construct an explicit polynomial f(x 1,..., x n ), with coefficients in {0,

More information

Ideal Hierarchical Secret Sharing Schemes

Ideal Hierarchical Secret Sharing Schemes Ideal Hierarchical Secret Sharing Schemes Oriol Farràs Carles Padró June 30, 2011 Abstract Hierarchical secret sharing is among the most natural generalizations of threshold secret sharing, and it has

More information

Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension

Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension CS 294 Secure Computation February 16 and 18, 2016 Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension Instructor: Sanjam Garg Scribe: Alex Irpan 1 Overview Garbled circuits

More information

Lecture 28: Public-key Cryptography. Public-key Cryptography

Lecture 28: Public-key Cryptography. Public-key Cryptography Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access

More information

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies

More information

Lecture 1: Introduction to Public key cryptography

Lecture 1: Introduction to Public key cryptography Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means

More information

Lecture 11: Key Agreement

Lecture 11: Key Agreement Introduction to Cryptography 02/22/2018 Lecture 11: Key Agreement Instructor: Vipul Goyal Scribe: Francisco Maturana 1 Hardness Assumptions In order to prove the security of cryptographic primitives, we

More information

A Linear Round Lower Bound for Lovasz-Schrijver SDP Relaxations of Vertex Cover

A Linear Round Lower Bound for Lovasz-Schrijver SDP Relaxations of Vertex Cover A Linear Round Lower Bound for Lovasz-Schrijver SDP Relaxations of Vertex Cover Grant Schoenebeck Luca Trevisan Madhur Tulsiani Abstract We study semidefinite programming relaxations of Vertex Cover arising

More information

18.10 Addendum: Arbitrary number of pigeons

18.10 Addendum: Arbitrary number of pigeons 18 Resolution 18. Addendum: Arbitrary number of pigeons Razborov s idea is to use a more subtle concept of width of clauses, tailor made for this particular CNF formula. Theorem 18.22 For every m n + 1,

More information

CS Introduction to Complexity Theory. Lecture #11: Dec 8th, 2015

CS Introduction to Complexity Theory. Lecture #11: Dec 8th, 2015 CS 2401 - Introduction to Complexity Theory Lecture #11: Dec 8th, 2015 Lecturer: Toniann Pitassi Scribe Notes by: Xu Zhao 1 Communication Complexity Applications Communication Complexity (CC) has many

More information

Lecture Notes 20: Zero-Knowledge Proofs

Lecture Notes 20: Zero-Knowledge Proofs CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Lecture Notes 20: Zero-Knowledge Proofs Reading. Katz-Lindell Ÿ14.6.0-14.6.4,14.7 1 Interactive Proofs Motivation: how can parties

More information

Secure Computation. Unconditionally Secure Multi- Party Computation

Secure Computation. Unconditionally Secure Multi- Party Computation Secure Computation Unconditionally Secure Multi- Party Computation Benny Pinkas page 1 Overview Completeness theorems for non-cryptographic faulttolerant distributed computation M. Ben-Or, S. Goldwasser,

More information

Benny Pinkas. Winter School on Secure Computation and Efficiency Bar-Ilan University, Israel 30/1/2011-1/2/2011

Benny Pinkas. Winter School on Secure Computation and Efficiency Bar-Ilan University, Israel 30/1/2011-1/2/2011 Winter School on Bar-Ilan University, Israel 30/1/2011-1/2/2011 Bar-Ilan University Benny Pinkas Bar-Ilan University 1 What is N? Bar-Ilan University 2 Completeness theorems for non-cryptographic fault-tolerant

More information

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004 CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key

More information

Lecture 38: Secure Multi-party Computation MPC

Lecture 38: Secure Multi-party Computation MPC Lecture 38: Secure Multi-party Computation Problem Statement I Suppose Alice has private input x, and Bob has private input y Alice and Bob are interested in computing z = f (x, y) such that each party

More information

From Private Simultaneous Messages to Zero-Information Arthur-Merlin Protocols and Back

From Private Simultaneous Messages to Zero-Information Arthur-Merlin Protocols and Back From Private Simultaneous Messages to Zero-Information Arthur-Merlin Protocols and Back Benny Applebaum Pavel Raykov Abstract Göös, Pitassi and Watson (ITCS, 2015) have recently introduced the notion of

More information

Breaking the O(n 1/(2k 1) ) Barrier for Information-Theoretic Private Information Retrieval

Breaking the O(n 1/(2k 1) ) Barrier for Information-Theoretic Private Information Retrieval Breaking the O(n 1/(2k 1) ) Barrier for Information-Theoretic Private Information Retrieval Amos Beimel Yuval Ishai Eyal Kushilevitz Jean-François Raymond April 24, 2006 Abstract Private Information Retrieval

More information

On Multi-Partition Communication Complexity

On Multi-Partition Communication Complexity On Multi-Partition Communication Complexity Pavol Ďuriš Juraj Hromkovič Stasys Jukna Martin Sauerhoff Georg Schnitger Abstract. We study k-partition communication protocols, an extension of the standard

More information

Benny Pinkas Bar Ilan University

Benny Pinkas Bar Ilan University Winter School on Bar-Ilan University, Israel 30/1/2011-1/2/2011 Bar-Ilan University Benny Pinkas Bar Ilan University 1 Extending OT [IKNP] Is fully simulatable Depends on a non-standard security assumption

More information

SPDZ 2 k: Efficient MPC mod 2 k for Dishonest Majority a

SPDZ 2 k: Efficient MPC mod 2 k for Dishonest Majority a SPDZ 2 k: Efficient MPC mod 2 k for Dishonest Majority a Ronald Cramer 1 Ivan Damgård 2 Daniel Escudero 2 Peter Scholl 2 Chaoping Xing 3 August 21, 2018 1 CWI, Amsterdam 2 Aarhus University, Denmark 3

More information

Network Oblivious Transfer

Network Oblivious Transfer Network Oblivious Transfer Ranjit Kumaresan Srinivasan Raghuraman Adam Sealfon Abstract Motivated by the goal of improving the concrete efficiency of secure multiparty computation (MPC), we study the possibility

More information

Strongly Multiplicative and 3-Multiplicative Linear Secret Sharing Schemes

Strongly Multiplicative and 3-Multiplicative Linear Secret Sharing Schemes Strongly Multiplicative and 3-Multiplicative Linear Secret Sharing Schemes Zhifang Zhang 1, Mulan Liu 1, Yeow Meng Chee 2, San Ling 2, and Huaxiong Wang 2,3 1 Key Laboratory of Mathematics Mechanization,

More information

Randomized Simultaneous Messages: Solution of a Problem of Yao in Communication Complexity

Randomized Simultaneous Messages: Solution of a Problem of Yao in Communication Complexity Randomized Simultaneous Messages: Solution of a Problem of Yao in Communication Complexity László Babai Peter G. Kimmel Department of Computer Science The University of Chicago 1100 East 58th Street Chicago,

More information

Hierarchical Threshold Secret Sharing

Hierarchical Threshold Secret Sharing Hierarchical Threshold Secret Sharing Tamir Tassa Abstract We consider the problem of threshold secret sharing in groups with hierarchical structure. In such settings, the secret is shared among a group

More information

Communication vs. Computation

Communication vs. Computation Communication vs. Computation Prahladh Harsha Yuval Ishai Joe Kilian Kobbi Nissim S. Venkatesh October 18, 2005 Abstract We initiate a study of tradeoffs between communication and computation in well-known

More information

Secret sharing schemes

Secret sharing schemes Secret sharing schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Introduction Shamir s secret sharing scheme perfect secret

More information

Lecture 14: Secure Multiparty Computation

Lecture 14: Secure Multiparty Computation 600.641 Special Topics in Theoretical Cryptography 3/20/2007 Lecture 14: Secure Multiparty Computation Instructor: Susan Hohenberger Scribe: Adam McKibben 1 Overview Suppose a group of people want to determine

More information

Communication Complexity and Secure Function Evaluation

Communication Complexity and Secure Function Evaluation Communication Complexity and Secure Function Evaluation arxiv:cs/0109011v1 [cs.cr] 9 Sep 2001 Moni Naor Kobbi Nissim Department of Computer Science and Applied Mathematics Weizmann Institute of Science,

More information

Broadcast and Verifiable Secret Sharing: New Security Models and Round-Optimal Constructions

Broadcast and Verifiable Secret Sharing: New Security Models and Round-Optimal Constructions Broadcast and Verifiable Secret Sharing: New Security Models and Round-Optimal Constructions Dissertation submitted to the Faculty of the Graduate School of the University of Maryland, College Park in

More information

Robust Non-Interactive Multiparty Computation Against Constant-Size Collusion

Robust Non-Interactive Multiparty Computation Against Constant-Size Collusion Robust Non-Interactive Multiparty Computation Against Constant-Size Collusion Fabrice Benhamouda, Hugo Krawczyk, and Tal Rabin IBM Research, Yorktown Heights, US Abstract. Non-Interactive Multiparty Computations

More information

Sharing DSS by the Chinese Remainder Theorem

Sharing DSS by the Chinese Remainder Theorem Sharing DSS by the Chinese Remainder Theorem Kamer Kaya,a, Ali Aydın Selçuk b a Ohio State University, Columbus, 43210, OH, USA b Bilkent University, Ankara, 06800, Turkey Abstract In this paper, we propose

More information

Oblivious Transfer in Incomplete Networks

Oblivious Transfer in Incomplete Networks Oblivious Transfer in Incomplete Networks Varun Narayanan and Vinod M. Prabahakaran Tata Institute of Fundamental Research, Mumbai varun.narayanan@tifr.res.in, vinodmp@tifr.res.in bstract. Secure message

More information

Notes 10: Public-key cryptography

Notes 10: Public-key cryptography MTH6115 Cryptography Notes 10: Public-key cryptography In this section we look at two other schemes that have been proposed for publickey ciphers. The first is interesting because it was the earliest such

More information

Security in Locally Repairable Storage

Security in Locally Repairable Storage 1 Security in Locally Repairable Storage Abhishek Agarwal and Arya Mazumdar Abstract In this paper we extend the notion of locally repairable codes to secret sharing schemes. The main problem we consider

More information

An exponential separation between quantum and classical one-way communication complexity

An exponential separation between quantum and classical one-way communication complexity An exponential separation between quantum and classical one-way communication complexity Ashley Montanaro Centre for Quantum Information and Foundations, Department of Applied Mathematics and Theoretical

More information

Probabilistically Checkable Arguments

Probabilistically Checkable Arguments Probabilistically Checkable Arguments Yael Tauman Kalai Microsoft Research yael@microsoft.com Ran Raz Weizmann Institute of Science ran.raz@weizmann.ac.il Abstract We give a general reduction that converts

More information

Quantum Communication Complexity

Quantum Communication Complexity Quantum Communication Complexity Ronald de Wolf Communication complexity has been studied extensively in the area of theoretical computer science and has deep connections with seemingly unrelated areas,

More information

Introduction to Cryptography Lecture 13

Introduction to Cryptography Lecture 13 Introduction to Cryptography Lecture 13 Benny Pinkas June 5, 2011 Introduction to Cryptography, Benny Pinkas page 1 Electronic cash June 5, 2011 Introduction to Cryptography, Benny Pinkas page 2 Simple

More information

Testing Graph Isomorphism

Testing Graph Isomorphism Testing Graph Isomorphism Eldar Fischer Arie Matsliah Abstract Two graphs G and H on n vertices are ɛ-far from being isomorphic if at least ɛ ( n 2) edges must be added or removed from E(G) in order to

More information

A Full Characterization of Functions that Imply Fair Coin Tossing and Ramifications to Fairness

A Full Characterization of Functions that Imply Fair Coin Tossing and Ramifications to Fairness A Full Characterization of Functions that Imply Fair Coin Tossing and Ramifications to Fairness Gilad Asharov Yehuda Lindell Tal Rabin February 25, 2013 Abstract It is well known that it is impossible

More information

Lecture 3,4: Multiparty Computation

Lecture 3,4: Multiparty Computation CS 276 Cryptography January 26/28, 2016 Lecture 3,4: Multiparty Computation Instructor: Sanjam Garg Scribe: Joseph Hui 1 Constant-Round Multiparty Computation Last time we considered the GMW protocol,

More information

1 Indistinguishability for multiple encryptions

1 Indistinguishability for multiple encryptions CSCI 5440: Cryptography Lecture 3 The Chinese University of Hong Kong 26 September 2012 1 Indistinguishability for multiple encryptions We now have a reasonable encryption scheme, which we proved is message

More information

Visual Cryptography Schemes with Optimal Pixel Expansion

Visual Cryptography Schemes with Optimal Pixel Expansion Visual Cryptography Schemes with Optimal Pixel Expansion Carlo Blundo, Stelvio Cimato and Alfredo De Santis Dipartimento di Informatica ed Applicazioni Università degli Studi di Salerno, 808, Baronissi

More information

Theory of Computation Chapter 12: Cryptography

Theory of Computation Chapter 12: Cryptography Theory of Computation Chapter 12: Cryptography Guan-Shieng Huang Dec. 20, 2006 0-0 Introduction Alice wants to communicate with Bob secretely. x Alice Bob John Alice y=e(e,x) y Bob y??? John Assumption

More information

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4 CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky Lecture 4 Lecture date: January 26, 2005 Scribe: Paul Ray, Mike Welch, Fernando Pereira 1 Private Key Encryption Consider a game between

More information

Ideal Hierarchical Secret Sharing Schemes

Ideal Hierarchical Secret Sharing Schemes Ideal Hierarchical Secret Sharing Schemes Oriol Farràs and Carles Padró Universitat Politècnica de Catalunya, Barcelona, Spain. Abstract. Hierarchical secret sharing is among the most natural generalizations

More information

Impossibility Results for Universal Composability in Public-Key Models and with Fixed Inputs

Impossibility Results for Universal Composability in Public-Key Models and with Fixed Inputs Impossibility Results for Universal Composability in Public-Key Models and with Fixed Inputs Dafna Kidron Yehuda Lindell June 6, 2010 Abstract Universal composability and concurrent general composition

More information

CS-E4320 Cryptography and Data Security Lecture 11: Key Management, Secret Sharing

CS-E4320 Cryptography and Data Security Lecture 11: Key Management, Secret Sharing Lecture 11: Key Management, Secret Sharing Céline Blondeau Email: celine.blondeau@aalto.fi Department of Computer Science Aalto University, School of Science Key Management Secret Sharing Shamir s Threshold

More information

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures Boaz Barak November 27, 2007 Quick review of homework 7 Existence of a CPA-secure public key encryption scheme such that oracle

More information

Strongly chordal and chordal bipartite graphs are sandwich monotone

Strongly chordal and chordal bipartite graphs are sandwich monotone Strongly chordal and chordal bipartite graphs are sandwich monotone Pinar Heggernes Federico Mancini Charis Papadopoulos R. Sritharan Abstract A graph class is sandwich monotone if, for every pair of its

More information

A Polynomial-Time Algorithm for Pliable Index Coding

A Polynomial-Time Algorithm for Pliable Index Coding 1 A Polynomial-Time Algorithm for Pliable Index Coding Linqi Song and Christina Fragouli arxiv:1610.06845v [cs.it] 9 Aug 017 Abstract In pliable index coding, we consider a server with m messages and n

More information
2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback